Matomo Analytics

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Matomo analytics helper with some normal privacy and command-safety cautions, not evidence of malware.

Install only if you trust the Matomo site and token scope you provide. Use a least-privilege Matomo token, review ~/matomo/memory.md on shared machines, and ensure any curl commands are run with properly quoted and validated values.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The setup instructs the agent to persist user analytics context in `~/matomo/memory.md`, including site names, idSite values, business priorities, and a credential reference, but it does not explicitly warn the user that this information will be written to disk. Even though it avoids storing the actual token, writing analytics metadata to a local file without clear disclosure can create unintended privacy exposure, especially on shared machines or systems with weak file permissions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal